[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[Backports-security-announce] Security Update for xulrunner

Alexander Reichle-Schmehl uploaded new packages for xulrunner which fixed the
following security problems:


  Mozilla developers identified and fixed several memory safety bugs in
  the browser engine used in Firefox and other Mozilla-based products.
  Some of these bugs showed evidence of memory corruption under certain
  circumstances, and we presume that with enough effort at least some of
  these could be exploited to run arbitrary code.


  Security researcher regenrecht reported via TippingPoint's Zero Day
  Initiative an error in the DOM attribute cloning routine where under
  certain circumstances an event attribute node can be deleted while
  another object still contains a reference to it. This reference
  could subsequently be accessed, potentially causing the execution
  of attacker controlled memory. 


  Security researcher regenrecht reported via TippingPoint's Zero Day
  Initiative an error in Mozilla's implementation of NodeIterator in
  which a malicious NodeFilter could be created which would detach
  nodes from the DOM tree while it was being traversed. The use of
  a detached and subsequently deleted node could result in the
  execution of attacker-controlled memory.


  Security researcher J23 reported via TippingPoint's Zero Day
  Initiative an error in the code used to store the names and values of
  plugin parameter elements. A malicious page could embed plugin content
  containing a very large number of parameter elements which would cause
  an overflow in the integer value counting them. This integer is later
  used in allocating a memory buffer used to store the plugin parameters.
  Under such conditions, too small a buffer would be created and
  attacker-controlled data could be written past the end of the buffer,
  potentially resulting in code execution.


  Security researcher J23 reported via TippingPoint's Zero Day Initiative
  that an array class used to store CSS values contained an integer
  overflow vulnerability. The 16 bit integer value used in allocating the
  size of the array could overflow, resulting in too small a memory buffer
  being created. When the array was later populated with CSS values data
  would be written past the end of the buffer potentially resulting in
  the execution of attacker-controlled memory.


  Security researcher regenrecht reported via TippingPoint's Zero Day
  Initiative an integer overflow vulnerability in the implementation
  of the XUL <tree> element's selection attribute. When the size of a
  new selection is sufficiently large the integer used in calculating
  the length of the selection can overflow, resulting in a bogus range
  being marked selected. When adjustSelection is then called on the
  bogus range the range is deleted leaving dangling references to the
  ranges which could be used by an attacker to call into deleted memory
  and run arbitrary code on a victim's computer.


  Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before
  1.4.3, as used in progressive applications, might allow remote attackers
  to execute arbitrary code via a PNG image that triggers an additional
  data row. 


  Security researcher Yosuke Hasegawa reported that the Web Worker
  method importScripts can read and parse resources from other domains
  even when the content is not valid JavaScript. This is a violation of
  the same-origin policy and could be used by an attacker to steal
  information from other sites.


  Security researcher Jordi Chancel reported that the location bar could
  be spoofed to look like a secure page when the current document was
  served via plaintext. The vulnerability is triggered by a server by
  first redirecting a request for a plaintext resource to another resource
  behind a valid SSL/TLS certificate. A second request made to the original
  plaintext resource which is responded to not with a redirect but with
  JavaScript containing history.back() and history.forward() will result
  in the plaintext resource being displayed with valid SSL/TLS badging in
  the location bar.


  Mozilla Firefox permits cross-origin loading of CSS stylesheets even
  when the stylesheet download has an incorrect MIME type and the
  stylesheet document is malformed, which allows remote HTTP servers to
  obtain sensitive information via a crafted document.


  Security researcher Soroush Dalili reported that potentially sensitive
  URL parameters could be leaked across domains upon script errors when
  the script filename and line number is included in the error message.

For the lenny-backports distribution the problems have been fixed in

For the squeeze and sid distributions the problems have been fixed in

Upgrade instructions
If you don't use pinning (see [1]) you have to update the package
manually via "apt-get -t lenny-backports install <packagelist>" with
the packagelist of your installed packages affected by this update.
[1] <http://backports.org/dokuwiki/doku.php?id=instructions>
We recommend to pin the backports repository to 200 so that new
versions of installed  backports will be installed automatically. 
  Package: *
  Pin: release a=lenny-backports
  Pin-Priority: 200

Attachment: signature.asc
Description: Digital signature

Reply to: